Performance improvement in blacklist function #1148
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Before fix (scanning cpython): After fix: |
The blacklisting function is currently using fnmatch.fnmatch() to do matching of qualified names of blacklist calls. It seems it is only used for telnetlib and ftplib where they are setting the qualified name in a file glob style (telnetlib.*). This change would slightly break backward compatibility if there are any third-party plugins that use globbing in the qualified names for blacklisting. I think the likelyhood is small. I also think it is better to be more explicit in the qualified name patterns. In the case of ftplib, FTP is insecure, but FTP_TLS is not. So this already is resolving one false postive. The other effect of this change is a slight boost to performance. When scanning cpython prior to this fix, it would take around 1 min. After the fix, closer to 50 seconds. So a nice little bump in speed. Fixes: PyCQA#438 Signed-off-by: Eric Brown <[email protected]>
ericwb
added a commit
to ericwb/bandit
that referenced
this pull request
Jun 23, 2024
This change adds an FTP_TLS call to the examples. A high severity error is no longer reported as a result of the fix in PR PyCQA#1148 that explicitly now matches blacklist call qualified names rather than using a file glob. However, you will notice that there is one more high severity issue reported in the tests as a result of the import of ftplib.FTP_TLS because the blacklist import is only checking for "ftplib". Fixes: PyCQA#148 Signed-off-by: Eric Brown <[email protected]>
|
Merging, as this is a dependency for approved PR #1149 |
ericwb
added a commit
that referenced
this pull request
Jun 24, 2024
* Performance improvement in blacklist function The blacklisting function is currently using fnmatch.fnmatch() to do matching of qualified names of blacklist calls. It seems it is only used for telnetlib and ftplib where they are setting the qualified name in a file glob style (telnetlib.*). This change would slightly break backward compatibility if there are any third-party plugins that use globbing in the qualified names for blacklisting. I think the likelyhood is small. I also think it is better to be more explicit in the qualified name patterns. In the case of ftplib, FTP is insecure, but FTP_TLS is not. So this already is resolving one false postive. The other effect of this change is a slight boost to performance. When scanning cpython prior to this fix, it would take around 1 min. After the fix, closer to 50 seconds. So a nice little bump in speed. Fixes: #438 Signed-off-by: Eric Brown <[email protected]> * Add test for usage of FTP_TLS This change adds an FTP_TLS call to the examples. A high severity error is no longer reported as a result of the fix in PR #1148 that explicitly now matches blacklist call qualified names rather than using a file glob. However, you will notice that there is one more high severity issue reported in the tests as a result of the import of ftplib.FTP_TLS because the blacklist import is only checking for "ftplib". Fixes: #148 Signed-off-by: Eric Brown <[email protected]> --------- Signed-off-by: Eric Brown <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The blacklisting function is currently using fnmatch.fnmatch() to do matching of qualified names of blacklist calls. It seems it is only used for telnetlib and ftplib where they are setting the qualified name in a file glob style (telnetlib.*).
This change would slightly break backward compatibility if there are any third-party plugins that use globbing in the qualified names for blacklisting. I think the likelyhood is small. I also think it is better to be more explicit in the qualified name patterns. In the case of ftplib, FTP is insecure, but FTP_TLS is not. So this already is resolving one false postive.
The other effect of this change is a slight boost to performance. When scanning cpython prior to this fix, it would take around 1 min. After the fix, closer to 50 seconds. So a nice little bump in speed.
Fixes: #438